IN3210/4210 Network and Communications Security
Wireless LAN (WLAN) security
Nils Nordbotten, October 2020
In wireless networks, attacks can be performed with low risk from a distance without access to network components
● Passive attacks
- Eavesdropping
- Traffic analysis
● Active attacks
- Masquerade (including rogue AP)
- Replay
- Message modification
- Denial of service (including jamming)
- Unauthorized use (misappropriation)
Non-invasive and basically impossible to detect
Hard to trace
Higher frequencies generally have shorter range
[Figure: Signal attenuation depending on frequency. Specific attenuation (dB/km) against frequency (GHz), with curves for total, dry air and water vapour; pressure 1 013 hPa, temperature 15° C, water vapour density 7.5 g/m³. Wi-Fi (2.4 and 5 GHz) and WiGig (60 GHz) are marked.]
Optical Wireless Communication is limited by line of sight (may utilize reflections)
● LiFi - LED-lamps
● pureLiFi's «LiFlame» - Ceiling Unit and Desktop Unit
Emission security is concerned with loss of confidentiality due to unintended compromising emanations
● Data may be reconstructed from electromagnetic emanations from monitors, computers, and other electrical devices (TEMPEST)
● Such emanations may also be amplified by a nearby radio transmitter, such as a WLAN or cell phone (NONSTOP)
● Leakage of information may also occur through sound or vibration
R. Anderson, Security Engineering: https://www.cl.cam.ac.uk/~rja14/Papers/SEv3-ch19-7sep.pdf (or https://www.cl.cam.ac.uk/~rja14/Papers/SE-15.pdf)
Wireless devices may also pose a vulnerability to wired networks by introducing uncontrolled connections
[Figure labels: Protected network, Internet]
Where relevant, dual connections should automatically be disabled
Mobile and wireless devices may pose an increased security risk
● Lack of physical security controls – may be easier for an attacker to steal, tamper with, or access a mobile device
● Unmanaged mobile devices (e.g., employees' personal devices not controlled by the organization) and use of applications created by unknown parties
● Use of untrusted networks – e.g., more susceptible to eavesdropping and MITM attacks and exposure to untrusted content – e.g., mobile devices may be exposed to other content (e.g., QR codes identifying a URL) than other computing devices
● Interaction with other systems – e.g., automatic device synchronization may result in data being stored in untrusted external location
● Multiple sensors (microphone, camera, accelerometer, GPS/location, wireless radio receiver, …)
Darkhotel APT – attacks on selected high-profile guests using hotel networks
● Guest entered last name and room number to access network
● Login portal was used to redirect guests to phony installers that prompted the user to install a software update
● Update contained digitally signed Darkhotel backdoors
- Broke weak certificates (512-bit keys)
- Also used 2048-bit certificates, stolen?
WLAN security evolution from WEP to WPA2/IEEE 802.11i
● Wired Equivalent Privacy (WEP) – part of 802.11 standard (1999)
- Flawed authentication
- Weak/flawed encryption (key reuse due to 24-bit IV)
- Flawed integrity (RC4 encrypted CRC)
● WPA (Wi-Fi Protected Access) interoperability certification (2003)
- Interim solution based on subset of 802.11i draft
- Based on WEP, but using Temporal Key Integrity Protocol (TKIP)
● IEEE 802.11i standard (2004) – Robust Security Network
- Amendment to 802.11 standard
- CCMP (AES)
● WPA2 - interoperability certification for 802.11i implementations (2004)
● IEEE 802.11ad (2012) adds support for GCM Protocol (GCMP)
- WiGig (60 GHz)
- IEEE 802.11ac (2013) extends GCMP with support for 256-bit keys
Wi-Fi Protected Access (WPA) 3 was standardized in 2018 by the Wi-Fi Alliance
● Requires protected management frames
● WPA3-SAE (Simultaneous Authentication of Equals)
- Replacement for WPA2-Personal/PSK
- Originally developed for mesh networks (802.11s)
- Specified in IEEE 802.11-2016
● WPA3-Enterprise 192-bit mode
- (EC)DHE key exchange, using RSA or ECDSA for authentication
- AES256-GCM (GCMP-256) for authenticated encryption
- HMAC-SHA384 for key derivation and confirmation
IEEE 802 protocol stack and general 802 MAC PDU
Figures from: W. Stallings, Network Security Essentials, Applications and Standards.
802.11 WLAN architecture: Station (STA), access point (AP), distribution system (DS), Basic Service Set (BSS), and Extended Service Set (ESS)
[Figure: 802.11 architecture diagram with STAs, APs, BSS, Distribution System (DS), ESS and other networks]
802.11i additionally introduces the Robust Security Network (RSN), the RSN Association (RSNA), and the Authentication Server (AS)
[Figure: 802.11i architecture diagram with STAs, APs, RSN (BSS), Distribution System (DS), ESS, AS, RSNA and other networks]
Only provides link security (end-to-end security must be provided at a higher layer)
802.11i Robust Security Network (RSN) - Services and Protocols
[Figure annotations: WPA1 (RC4, Michael); WPA2 (AES-CTR / -CBC-MAC)]
WPA3 uses GCMP (AES-GCM)
Figure from: W. Stallings, Network Security Essentials, Applications and Standards.
802.1X authentication and port based access control
Is this the authentic network?
Is this an authorized station?
Figure from: W. Stallings, Network Security Essentials, Applications and Standards.
802.11i RSN phases of operation
Figure from: W. Stallings, Network Security Essentials, Applications and Standards.
Discovery and authentication (Phase 1 and 2)
Beacon may replace probe request/response when SSID is not hidden
EAP is skipped if using PSK
Master Session Key (MSK) established unless PSK is used
Figure from: W. Stallings, Network Security Essentials, Applications and Standards.
Pairwise and group key hierarchies (802.11i)
Figure from: W. Stallings, Network Security Essentials, Applications and Standards.
Pseudorandom function (WPA2)
CCMP: PTK = PRF(PMK, «Pairwise key expansion» || AP & STA MAC addresses || nonces, 384)
Figure from: W. Stallings, Network Security Essentials, Applications and Standards.
4-way handshake establishing Pairwise Transient Key (PTK) (Phase 3)
[Figure labels: PMK is known, PTK, PTK, GTK]
Figure from: W. Stallings, Network Security Essentials, Applications and Standards.
802.11i Protected Data Transfer Phase – alternative protocols
● Temporal Key Integrity Protocol (TKIP) (optional)
- Only software changes from WEP in order to support legacy devices
- Michael MIC
- RC4 encryption, with new key for each frame
- Transition solution
- Also known as WPA
● Counter mode with CBC-MAC Protocol (CCMP)
- Confidentiality, message authentication, and replay prevention
- AES based (128-bit key)
- Provides stronger security than TKIP
- Also known as WPA2
● Galois Counter Mode Protocol (GCMP) is not part of the 802.11i specification, but was introduced later (including GCMP-256 in WPA3)
Wi-Fi Enhanced Open - Opportunistic Wireless Encryption (OWE) for open networks
● Opportunistic Wireless Encryption (RFC 8110) – as an alternative to sending in cleartext
● Based on the use of unauthenticated Diffie-Hellman
- Does not protect against active attackers (e.g., fake AP)
● Provides protection against passive attackers
- Unique PMK for each connection, as opposed to WPA2-Personal when the same PSK is (openly) shared
● Not part of the current WPA3 specification – but likely to be supported by many WPA3 devices/products
Wi-Fi Protected Setup (WPS): providing easy WPA/WPA2 key configuration for Alice, Bob ... and Eve
● 8 digit PIN, where last digit is checksum (10 000 000 combinations)
● The validity of the first and second half is acknowledged independently (10 000 + 1 000)
● Depending on implementation: unrestricted number of PIN attempts
● Wi-Fi Easy Connect (2018) provides a more recent alternative for both WPA2 and WPA3
“Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2” (M. Vanhoef & F. Piessens, CCS 2017)
● Replay of handshake message results in key being reinitialized, including resetting nonce/IV - resulting in reuse of the keystream
● CCMP: attacker can replay and decrypt packets
● GCMP: Attacker can replay and decrypt packets, and forge packets in both directions
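A toy model of the reinstallation flaw and of a station that refuses to reset the nonce for a key already in use, added here as an example (not code from the paper or the slides). An HMAC-based keystream stands in for AES counter mode; the `Supplicant` class, the key and the frames are hypothetical, constructed values.

```python
import hashlib
import hmac

def keystream(tk: bytes, pn: int, length: int) -> bytes:
    """Stand-in for AES counter mode: the keystream depends only on (key, packet number)."""
    return hmac.new(tk, pn.to_bytes(6, "big"), hashlib.sha256).digest()[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Supplicant:
    """Toy station: installs the temporal key (TK) on message 3 and encrypts frames."""

    def __init__(self, ignore_reinstall: bool):
        self.ignore_reinstall = ignore_reinstall
        self.tk, self.pn = None, 0

    def on_message3(self, tk: bytes) -> None:
        if self.ignore_reinstall and tk == self.tk:
            return                      # same key already in use: keep the packet number
        self.tk, self.pn = tk, 0        # key (re)installation resets the nonce

    def send(self, plaintext: bytes) -> tuple:
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.tk, self.pn, len(plaintext)))

# Constructed sample key and frames (at most 32 bytes each for this toy keystream).
TK = bytes.fromhex("00112233445566778899aabbccddeeff")
FRAME_1, FRAME_2 = b"GET /index.html ", b"user=alice&pin=1"

def replayed_message3(ignore_reinstall: bool) -> dict:
    """Send a frame, receive message 3 a second time, then send another frame."""
    sta = Supplicant(ignore_reinstall)
    sta.on_message3(TK)
    pn1, c1 = sta.send(FRAME_1)
    sta.on_message3(TK)                 # retransmitted or replayed handshake message
    pn2, c2 = sta.send(FRAME_2)
    return {"nonce_reused": pn1 == pn2,
            "xor_leaks_plaintexts": xor(c1, c2) == xor(FRAME_1, FRAME_2)}

if __name__ == "__main__":
    print("reinstalls key:   ", replayed_message3(ignore_reinstall=False))
    print("ignores reinstall:", replayed_message3(ignore_reinstall=True))
```

When the nonce is reused, XORing the two ciphertexts cancels the keystream and yields the XOR of the two plaintexts, which is why keystream reuse leads to decryption.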
Given a weak network password, brute force or dictionary attacks are fully practical against WPA2-PSK
- Choose a strong network password (e.g., xFe>RLv6&s=@Q6q%&-'q7CGdI9)
- May use an uncommon SSID to mitigate use of rainbow tables in dictionary/brute-force attacks to find PMK/PTK (PSK is generated from SSID and password)
- (If applicable, disable WPS)
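Added example, not from the original slides: how the WPA2-Personal PMK is derived from password and SSID (this slide) and then expanded into the PTK with the PRF from the earlier "Pseudorandom function (WPA2)" slide. The passphrase, SSIDs, MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, bits: int) -> bytes:
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), counter = 0, 1, 2, ..."""
    out, counter = b"", 0
    while len(out) * 8 < bits:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[: bits // 8]

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF(PMK, "Pairwise key expansion", MACs || nonces, 384), split into 128-bit keys."""
    # Both sides order the inputs (lower value first) so AP and STA compute the same PTK.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

# Constructed sample values (not taken from any real network).
PASSPHRASE = "correct horse battery staple"
AP_MAC, STA_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))

def same_passphrase_two_ssids() -> tuple:
    """The SSID is the PBKDF2 salt: a table precomputed for one SSID is useless for another."""
    return derive_pmk(PASSPHRASE, "linksys"), derive_pmk(PASSPHRASE, "in3210-lab-7f3a")

if __name__ == "__main__":
    pmk_common, pmk_uncommon = same_passphrase_two_ssids()
    print("PMK (common SSID):  ", pmk_common.hex())
    print("PMK (uncommon SSID):", pmk_uncommon.hex())
    for name, key in derive_ptk(pmk_uncommon, AP_MAC, STA_MAC, ANONCE, SNONCE).items():
        print(name, key.hex())
```

Every input to the PTK other than the PMK is sent in the clear during the handshake, so the strength of the password is the only thing protecting a captured handshake from offline guessing.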
WPA3-Simultaneous Authentication of Equals (SAE) prevents offline dictionary/brute-force attacks
● Can only make one password guess per attack (i.e., per online authentication attempt)
- Cannot perform dictionary/brute-force attacks off-line
- Gains no information about password through eavesdropping
● Forward secrecy – compromise of the password will not disclose previous communication
● Compromise of shared (session) secret won’t help attacker in later sessions
● A variation of the password-authenticated key exchange Dragonfly
● Successful attacks (password recovery) against WPA3-Personal (https://wpa3.mathyvanhoef.com):
- Downgrade attacks against Transition Mode
- Side-channel attacks
Disabling of identifier (SSID) broadcasting and MAC address filtering provides limited (if any) protection
● An implication of disabling SSID broadcasting at access points is that clients periodically must send queries for the SSID to discover it
- The client machine may become more exposed and an attacker is able to discover the SSID anyway
● MAC addresses are sent unencrypted and are easy to spoof
Final remarks - wireless network security
● WPA2 (i.e., CCMP / AES) is a minimum for securing WLANs today
● PSK is not suitable/scalable beyond home networks
● WPA3 provides significant security improvements
● Higher layer security (e.g., VPN) may be used for additional security